CVE-2026-6981 MEDIUM

CVE-2026-6981: IhateCreatingUserNames2 AiraHub2 Endpoint AiraHub.py sync_agents server-side request forgery

Vendor Ihatecreatingusernames2
Product AiraHub2
Weakness CWE-918 · SSRF
Published April 25, 2026
Last update April 27, 2026
View on NVD All CVEs

CVSS base score

5.3/10
Attack vector Network
Attack complexity Low
Privileges required Low
User interaction None
Confidentiality
Integrity

CVSS vector

CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:L/VI:L/VA:L/SC:N/SI:N/SA:N/E:P

What the vulnerability does

01Description

A vulnerability was found in IhateCreatingUserNames2 AiraHub2 up to 3e4b77fd7d48ed811ffe5b8d222068c17c76495e. Affected is the function connect_stream_endpoint/sync_agents of the file AiraHub.py of the component Endpoint. Performing a manipulation results in server-side request forgery. The attack may be initiated remotely. The exploit has been made public and could be used. This product uses a rolling release model to deliver continuous updates. As a result, specific version information for affected or updated releases is not available. Multiple endpoints are affected. The vendor was contacted early about this disclosure but did not respond in any way.

Key dates

02Disclosure timeline

April 25, 2026 CVE published
April 27, 2026 Record updated

Related vulnerabilities

04Related CVE

CVE-2026-1273 PostX <= 5.0.8 - Authenticated (Administrator+) Server-Side Request Forgery via REST API Endpoints CVE-2026-33401 Wallos: Incomplete fix for CVE-2026-30840 - SSRF in AI and notification endpoints bypass ssrf_helper.php CVE-2026-26322 OpenClaw Gateway tool allowed unrestricted gatewayUrl override CVE-2024-31288 WordPress RapidLoad plugin <= 2.2.11 - Server Side Request Forgery (SSRF) vulnerability CVE-2026-6514 InfusedWoo Pro <= 5.1.2 - Unauthenticated Arbitrary File Read via 'url' Parameter